Verify protocol using OpenSSL command line
https://stackoverflow.com//questions/23045588
-
21-12-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russianسؤال
In light of the recent heartbleed flaw, I am trying to do some analysis of various systems that I connect with (email, login pages, etc). I am trying to use the OpenSSL commandline tool to verify what protocols the systems I connect with are using.
Part of the response is:
...
SSL-Session:
Protocol : TLSv1
...
Is that all I need to verify that this service is not using Openssl (particularly the buggy 1.0.1 versions)? (I am thinking that it ISN'T enough, as I connected with a server that I KNOW is using Openssl 0.9.8 and it responded with the same string as shown above.)
المحلول
TLSv1 refers to the protocol TLS version 1, while openssl, NSS, GnuTLS, PolarSSL ... are implementations of the protocol. You usually cannot detect just from a normal TLS dialog which SSL implementation or which version of the implementation is running on the other side, so you better use any of the available tools for checking if the server is vulnerable.
You can try to use the -tlsextdebug option of openssl s_client to find out, which TLS extension the other side supports. Vulnerable versions usually show that they support the heartbeat extension, but I would not count on it. And of course fixed versions support this extension too. If support for the extension is advertised you find this in the output of openssl s_client -tlsextdebug -connect ...:
TLS server extension "heartbeat" (id=15), len=1
